1 Overview

Oracle Enterprise Manager Ops Center is a data center management solution for managing both hardware and software from one console. This document presents good practices for managing the security of Oracle Enterprise Manager Ops Center deployments.

1.1 Product Architecture

The Oracle Enterprise Manager Ops Center software has a distributed architecture with a single master controller (Enterprise Controller) and multiple controllers (Proxy Controllers). Each Proxy Controller connects either to multiple Agent Controllers hosted on an Operating System instance or to managed systems or to both. Figure 1-1 shows a deployment with one Proxy Controller, which can be located on the same system as the Enterprise Controller.

1.1.1 Knowledge Base (KB) and Package Repository

The Knowledge Base is the repository for metadata about Oracle Solaris 10-8 and Linux OS components, which resides on Oracle's website. Oracle Enterprise Manager Ops Center can connect to the Knowledge Base through the Internet to obtain OS updates and updates to the product software itself. In a similar way, the Enterprise Controller can get access to the Oracle Solaris 11 Package Repository for updates to components of Oracle Solaris 11.

1.1.2 Enterprise Controller

The Enterprise Controller is the central server for Oracle Enterprise Manager Ops Center and there is only one Enterprise Controller in each installation. The Enterprise Controller stores firmware and OS images, plans, profiles, and policies. The Enterprise Controller also stores the asset data and site customizations in a database and hosts the web container for the user interface components. The Enterprise Controller handles all user authentication and authorization. All operations are initiated from the Enterprise Controller.

Although the Enterprise Controller stores firmware and OS images, these images are not included in a backup of the Enterprise Controller. As a good practice, create the software library for OS images on networked storage (NAS). Then include the network storage device in your site's backup plan.

1.1.3 Proxy Controller

A Proxy Controller links the managed assets to the Enterprise Controller and acts for the Enterprise Controller in operations that must be located close to managed assets, such as OS provisioning. The Proxy Controller provides fan-out capabilities to minimize network load and to support complex network topologies. The Proxy Controller also contains the logic for agent-less monitoring and management of hardware.

1.1.4 Agent Controller

An Agent is lightweight Java software that represents and manages an OS asset or OS instance and responds to requests from a Proxy Controller. Hardware management does not require an agent. The Agent receives the command, performs the required action, and reports results to the Proxy Controller. An agent never communicates directly with the Enterprise Controller.

1.1.5 Database

The Enterprise Controller uses an Oracle Database 11g Enterprise Edition database to store Oracle Enterprise Manager Ops Center data. The database can be local or remote:

The local database is embedded in the Enterprise Controller, created during product installation.

A remote database is a new or existing customer-managed database.

Oracle Enterprise Manager Ops Center provides utilities to help you manage the local database, migrate your data from a local database to a customer-managed database, back up and recover the database schema, and change database credentials.

1.1.6 Securing the Architecture

For a secure deployment, each communication direction must be protected. Use the procedures in Table 1-1to secure each connection.

1.1.7 Authentication Between the Proxy Controller and Agents

In the normal operation of the product, various Proxy Controllers make requests for asset data or status and receive the response from each asset. For each transaction, the Proxy Controller must authenticate the asset and each asset must authenticate the Proxy Controller, as described in the next section. For an agentless-managed asset, authentication requires an SSH password as described in Credential Management for Assets. An alternative procedure for an OS asset that does not require a password is to install a token manually, also described in that section.

1.1.7.1 Authentication of Agent-Managed Asset

For an agent-managed asset, authentication is configured when the asset is discovered and managed. The Enterprise Controller installs an agent controller on the asset. This triggers two actions:

1.1.7.2 Authentication Transactions

Agent confirms this certificate with the already-accepted certificate saved in /var/opt/sun/xvm/security/jsse/scn-agent/truststore. This is the SSL handshake.

If the agent does not confirm the Proxy Controller's certificate, the SSL handshake fails. No data is sent. This protects against an interloper.

When an agent responds to an inquiry:

Agent creates a string from the client reg ID and the private key. The string is its signature

Agent sends an HTTPS POST of the signature and the requested data to the Proxy Controller.

Proxy Controller retrieves the public key for the agent's client reg ID from the database.

Proxy Controller verifies that the message's signature was created from the private key that matches the public key.

If the Proxy Controller detects that the message's private key does not match the public key, the Proxy Controller does not allow the connection. This protects against an entity misrepresenting itself as the agent.

1.2 General Principles of Security

This section describes the principles fundamental to using the software securely.

1.2.1 Keep Software Up To Date

Good security is maintained when all software versions and patches are up to date. This document discusses Oracle Enterprise Manager Ops Center version 12c Release 1 (12.1.4.0.0). As new versions or updates of Oracle Enterprise Manager Ops Center become available, install the new software as soon as possible.

1.2.2 Restrict Network Access

Firewalls restrict access to systems to a specific network route that can be monitored and controlled. When firewalls are used in combination, they create a DMZ, a term for a subnetwork that controls access from an untrusted network to the trusted network. Using firewalls to create a DMZ provide two essential functions:

Blocks traffic types that are known to be illegal.

Contains any intrusion that attempts to take over processes or processors.

In your deployment, design an environment that locates the Enterprise Controller's system in a DMZ, that is, with a firewall between the system and the Internet and a firewall between the system and the corporate intranet, as in Figure 1-2. This type of environment allows the Enterprise Controller to get access to the Internet to perform operations while in Connected mode, and restricts access to assets to only those operations that manage the assets. When the Enterprise Controller is in Disconnected mode, it operates without access to the Internet.

When a Proxy Controller is deployed on a network outside of the firewall, the SSH Tunnel and Port 21161 change the direction of communication so that the remote Proxy Controller does not initiate communication with the Enterprise Controller.

Proxy Controller to ALOM Service Processors

SSH, TCP: Port 22 or Telnet, TCP: Port 23

SNMP, UDP: Port 161

TCP: Port 6481 (for discovery by service tags)

ICMP, Type 8 Code 0

Proxy Controller discovers, manages, and monitors the service processor.

Proxy Controller to ILOM Service Processors

SSH, TCP: Port 22

SNMP, UDP: Port 161

IPMI, TCP, UDP: Port 623

TCP: Port 6481 (for discovery by service tags)

ICMP, Type 8 Code 0

Proxy Controller discovers, manages, and monitors the service processor.

Proxy Controller to ALOM or XCSF Service Processor

FTP, TCP: Port 21

Proxy Controller provisions firmware on an ALOM service processor. Port 21 transfers the firmware image. A transient random port is opened for the duration of the operation.

Proxy Controller to ILOM Service Processor

TFTP, UDP: Port 69

Proxy Controller provisions firmware on an ILOM service processor. Port 69 transfers the firmware image. A transient random port is opened for the duration of the operation.

Service Processor to Proxy Controller

SNMP, UDP: Port 162

ICMP ping: Type 0 (echo reply)

For monitoring hardware, the service processor sends SNMP traps to the Proxy Controller.

For monitoring assets, the Agent Controller sends trap notifications and fault management alerts (FMA) to the Proxy Controller as local traffic. Because the Proxy Controller is using Port 162, a co-located Agent Controller uses Port 1162, if it is available, or a port in the range of Ports 1100 through 1200.

Java client to public APIs

TLS: Port 11172

JMX access from clients

WMI client on Proxy Controller to Agent Controller

Port 11162

WMI client resides on the Proxy Controller and communicates with the WMI server on the Agent Controller.

The Proxy Controller uses the DCOM protocol to monitor a Windows system. The Proxy Controller opens a TCP connection to the Windows DCOM registry port, TCP 135, which provides a lookup service to the WMI scripting DCOM object. The Proxy Controller connects to the DCOM object. The port number for this connection is allocated by the Windows system.

Proxy Controller to NFS server

Use an NFS server that is on the same side of the firewall as the Proxy Controller.

Refer to your OS documentation to set up the NFS server.

Proxy Controller pulls provisioning images from NAS Library

Global Zones or Oracle VM Servers to NFS server

Use an NFS server that is on the same side of the firewall as the Proxy Controller.

1.2.3 Follow the Principle of Least Privilege

The principle of least privilege states that users are given the lowest level of permissions to perform their tasks. Granting roles or privileges in excess of a user's responsibilities leaves a system open for non-compliance. Review privileges periodically to determine whether they remain appropriate for each user's current job responsibilities.

You give each user a set of roles, which determine the tasks the user can and cannot perform, and a set of privileges which specify the assets, networks, or other objects to which the user's roles apply. This gives you fine-grained control of the actions that users can take.

1.2.3.1 Role Requirement for Tasks

Table 1-4 shows the permission needed to perform each action. Oracle Enterprise Manager Ops Center groups permissions into roles and assigns one or more roles to a user account. Table 1-5 shows the permissions granted by each role.

Table 1-4 Tasks and Permissions

Tasks

Permission

Read Access

Read Access

Add Assets

Find Assets

Discover Assets

Manage Assets

Delete Assets

Manage Assets

Create Group

Edit Group

Add Assets to Group

Delete Group

Asset Group Management

New Update OS Job

Deploy or Update Software

Compare System Catalog

Create Catalog Snapshot

View and Modify Catalog

Update

New Simulated OS Update Job

Update Simulation

Configure and Deploy Server

Install Server

Configure RAID

Server Deployment

Add or delete storage

Assign or detach network

Start Guest

Shut Down Guest

Migrate Guest

Clone Guest

Lifecycle actions

Virtualization Guest Management

Assign Incidents

Add Annotation to incidents

Acknowledge incidents

Take Actions on Incidents

Mark Incidents as Repaired

Close Incidents

Delete Notifications

Take Actions on Notification

Fault Management

Update Management Credentials

Any Actions related to changing credentials

Credential Management

Edit Network Domain

Edit Network Attributes

Edit Network Services

Network Management

Fabric Management

Fabric Management

Import ISO

Upload image

Edit Attributes

Storage Management

Create reports

Delete reports

Report Management

Create, delete, and modify profiles and plans

Plan/Profile Management

Create/Update/Delete Instance

Attach/Detach Volume to Instance

Create/Delete/Update Security Group

Create/Update/Delete Volume

Upload/Register/Delete templates

Create/RollbackTo/Delete Snapshot

Shutdown All servers

Link/Launch OVAB

Cloud Usage

Create/Delete/Update Cloud

Create/Delete/Update Cloud Domain

Create Public Security Group

Share Public Security Group

Create VM Instance Type

Cloud Management

Manage Enterprise Controller

Enterprise Controller Management

Unconfigure/Uninstall Proxy Controller

Configure Agent Controller

Unconfigure Agent Controller

DHCP configuration

Subnets

External DHCP Servers

Proxy Controller Management

Configure/Connect

Disconnect/Unconfigure

Cloud Control Console

Cloud Control Management

Unconfigure

SCCM Configuration

Windows Update Management

Add Users

Remove Users

User Management

Assign Roles

Role Management

Asset Management

Asset Management

Write Access

Write Access

Open Service Request

Service Request

Power On

Power Off

Power on with Net Boot

Set Power Policy

Power Management

Chassis Management

Chassis Management

Storage Server Management

Storage Server Management

Launch Switch UI

Switch Management

Reset Servers

Reset Service Processors

Refresh

Locator Light On/Off

Snapshot Bios Configuration

Update Bios Configuration

Server Management

Reboot

Upgrade Agent Controller

Operating System Management

Cluster Management

Cluster Management

Aggregate Links

Link Aggregation

IPMP Groups

IPMP Groups

Update Firmware

Update Firmware

Upgrade Proxy Controller

Proxy Controller Upgrade

Execute Operation

Operation Execution

Unconfigure Enterprise Controller

Unconfigure EC

Add Product Alias

Add Product Alias

Upgrade Enterprise Controller

EC Upgrade

Set Enterprise Controller Storage Library

EC Storage Library Management

Configure Local Agent

Unconfigure Local Agent

EC Local Agent Management

Proxy Deployment Wizard

EC Proxy Management

Set up Connection Mode

EC Connection Mode Management

Register Enterprise Controller

EC Registration

Change HTTP Proxy

EC HTTP Proxy Management

Edit Energy Cost

EC Energy Cost Management

Ops Center Downloads

Ops Center Downloads

Activate Boot Env and Reboot

Create New Boot Env.

Synchronize Boot Env.

Boot Environment Management

Create Server Pool

Server Pool Creation

Delete Server Pool

Server Pool Deletion

Rebalance Resource

Edit Server Pool Attribute

Attach Network to Server Pool

Associate Library to Server Pool

Add/Remove Virtual Host

Server Pool Management

Create OVM virtual Servers

Create zone servers

Create Logical Domains

Server Pool Usage

Create Virtualization Host

Virtualization Host Creation

Delete Virtualization Host

Virtualization Host Deletion

Add/Remove Virtual Host to/from Server Pool

Edit Tags

Edit Attributes

Reboot

Change Routing Configuration

Change NFS4 Domain

Change Naming Service

Change Remote Logging Configuration

Virtualization Host Management

Create Logical Domains

Create zones

Create OVM virtual servers

Virtualization Host Usage

Create Logical Domains

Create zones

Create OVM virtual servers

Virtualization Guest Creation

Delete Logic Domain

Delete Zones

Delete OVM Virtual Servers.

Virtualization Guest Deletion

Start Guest

Shutdown Guest

Migrate Guest

Clone Guest

Virtualization Guest Usage

Create Library

Storage Creation

Delete Library

Storage Deletion

Associate Library

Storage Usage

Create Network Domain

Create Network

Network Creation

Delete Network Domain

Delete Network

Network Deletion

Assign Network

Connect Guests

Network Usage

Create Fabric

Fabric Creation

Delete Fabric

Fabric Deletion

Fabric Management

Fabric Usage

Chassis Usage

Chassis Usage

Storage Server Usage

Storage Server Usage

Switch Usage

Switch Usage

Launch LOM Controller

Edit Tags

Server Usage

Edit Tags

Edit Attributes

Operating System Usage

Create Rack

Rack Creation

Directory Server Management

Directory Server Management

Power Distribution Unit Usage

Power Distribution Unit Usage

Power Distribution Unit Management

Power Distribution Unit Management

Rack Creation

Rack Creation

Rack Deletion

Rack Deletion

Rack Management

Rack Management

Rack Usage

Rack Usage

OVM Manager Usage

OVM Manager Usage

OVM Manager Management

OVM Manager Management

Network Domain Creation

Network Domain Creation

Network Domain Deletion

Network Domain Deletion

Network Domain Management

Network Domain Management

Network Domain Usage

Network Domain Usage

Asset Network Management

Asset Network Management

Job Management

Job Management

Table 1-5 Roles and Permissions

Role

Permissions

Asset Admin

Asset Group Management

Asset Management

Asset Network Management

Boot Environment Management

Chassis Management

Chassis Usage

Cluster Management

Discover Assets

IPMP Groups

Link Aggregation

Manage Assets

Network Management

Operating System Management

Operating System Usage

Power Distribution Unit Management

Power Distribution Unit Usage

Power Management

Rack Creation

Rack Deletion

Rack Management

Rack Usage

Read Access

Server Management

Server Usage

Service Request

Storage Server Management

Storage Server Usage

Switch Management

Switch Usage

Write Access

Cloud Admin

Asset Management

Asset Network Management

Cloud Management

Cloud Usage

Fabric Creation

Fabric Deletion

Fabric Management

Fabric Usage

IPMP Groups

Link Aggregation

Manage Assets

Network Creation

Network Deletion

Network Domain Creation

Network Domain Deletion

Network Domain Management

Network Domain Usage

Network Management

Network Usage

Operating System Management

Operating System Usage

OVM Manager Management

OVM Manager Usage

Profile Plan Management

Read Access

Role Management

Server Management

Server Pool Management

Server Pool Usage

Server Usage

Storage Management

Storage Server Management

Storage Server Usage

Storage Usage

Switch Management

Switch Usage

Virtualization Guest Creation

Virtualization Guest Deletion

Virtualization Guest Management

Virtualization Guest Usage

Virtualization Host Management

Virtualization Host Usage

Write Access

Cloud User

Asset Management

Asset Network Management

Cloud Usage

Fabric Creation

Fabric Deletion

Fabric Usage

Manage Assets

Network Creation

Network Deletion

Network Domain Management

Network Domain Usage

Network Management

Network Usage

Operating System Management

Operating System Usage

OVM Manager Usage

Read Access

Server Pool Usage

Server Usage

Storage Management

Storage Server Usage

Storage Usage

Switch Usage

Virtualization Guest Creation

Virtualization Guest Deletion

Virtualization Guest Management

Virtualization Guest Usage

Virtualization Host Management

Virtualization Host Usage

Write Access

Exalogic Systems Admin

Asset Management

Credential Management

Directory Server Management

EC Energy Cost Management

EC HTTP Proxy Management

EC Registration

Fabric Creation

Fabric Deletion

Fabric Management

Fabric Usage

Job Management

Link Aggregation

Network Creation

Network Deletion

Network Domain Creation

Network Domain Deletion

Network Domain Management

Network Domain Usage

Network Management

Network Usage

Operating System Management

Operating System Usage

Operation Execution

OVM Manager Management

OVM Manager Usage

Power Distribution Unit Management

Power Distribution Unit Usage

Profile Plan Management

Proxy Controller Management

Read Access

Report Management

Role Management

Server Deployment

Server Management

Server Usage

Service Request

Storage Creation

Storage Deletion

Storage Management

Storage Server Management

Storage Server Usage

Storage Usage

Switch Usage

Update Firmware

User Management

Write Access

Fault Admin

Fault Management

Read Access

Write Access

Network Admin

Asset Management

Asset Network Management

Fabric Creation

Fabric Deletion

Fabric Management

Fabric Usage

IPMP Groups

Link Aggregation

Network Creation

Network Deletion

Network Domain Creation

Network Domain Deletion

Network Domain Management

Network Domain Usage

Network Management

Network Usage

Read Access

Write Access

Ops Center Admin

Add Product Alias

Discover Assets

EC Connection Mode Management

EC Energy Cost Management

EC HTTP Proxy Management

EC Local Agent Management

EC Proxy Management

EC Registration

EC Storage Library Management

EC Upgrade

Enterprise Controller Management

Cloud Control Management

Job Management

Manage Assets

Ops Center Downloads

OVM Manager Management

OVM Manager Usage

Proxy Controller Management

Proxy Controller Upgrade

Read Access

Unconfigure EC

Windows Update Management

Write Access

Plan/Profile Admin

Plan/Profile Management

Read Access

Write Access

Read

Read Access

Report Admin

Read Access

Report Management

Update Simulation

Write Access

Role Management Admin

Read Access

Role Management

Write Access

Security Admin

Credential Management

Read Access

Write Access

Apply Deployment Plans

Operation Execution

Read Access

Server Deployment

Update Firmware

Write Access

Storage Admin

Asset Management

Read Access

Storage Creation

Storage Deletion

Storage Management

Storage Server Management

Storage Server Usage

Storage Usage

Write Access

Supercluster Systems Admin

Asset Management

Cluster Management

Credential Management

Directory Server Management

EC Energy Cost Management

EC HTTP Proxy Management

EC Registration

Fabric Creation

Fabric Deletion

Fabric Management

Fabric Usage

Job Management

Link Aggregation

Network Creation

Network Deletion

Network Domain Creation

Network Domain Deletion

Network Domain Management

Network Domain Usage

Network Management

Network Usage

Operating System Management

Operating System Usage

Operation Execution

Power Distribution Unit Management

Power Distribution Unit Usage

Profile Plan Management

Proxy Controller Management

Read Access

Report Management

Role Management

Server Deployment

Server Management

Server Usage

Service Request

Storage Creation

Storage Deletion

Storage Management

Storage Server Management

Storage Server Usage

Storage Usage

Switch Usage

Update Firmware

User Management

Write Access

Update Admin

Boot Environment Management

Read Access

Update

Update Simulation

Windows Update Management

Write Access

Update Simulation Admin

Read Access

Update Simulation

Write Access

User Management Admin

Directory Server Management

Read Access

User Management

Write Access

Virtualization Admin

Asset Management

Asset Network Management

Fabric Creation

Fabric Deletion

Fabric Management

Fabric Usage

IPMP Groups

Link Aggregation

Manage Assets

Network Creation

Network Deletion

Network Domain Creation

Network Domain Deletion

Network Domain Management

Network Domain Usage

Network Management

Network Usage

Operating System Management

OVM Manager Management

OVM Manager Usage

Read Access

Server Deployment

Server Management

Server Pool Creation

Server Pool Deletion

Server Pool Management

Server Pool Usage

Storage Creation

Storage Deletion

Storage Management

Storage Server Management

Storage Server Usage

Storage Usage

Virtualization Guest Creation

Virtualization Guest Deletion

Virtualization Guest Management

Virtualization Guest Usage

Virtualization Host Creation

Virtualization Host Deletion

Virtualization Host Management

Virtualization Host Usage

Write Access

1.2.3.2 Assigning Roles and Privileges to a User

The user accounts are created from the local authentication subsystem of the Enterprise Controller's operating system or from a separate directory server, as described inConfiguring an LDAP Server.

You must have the Role Admin role to grant roles to user accounts and to change privileges.

Select Administration in the Navigation pane.

Click the Roles tab. The Roles page is displayed.

Select a user from the list of users.

Click the Manage User Roles icon.

Add or remove one or more roles from the roles list. By default, a user has all the permissions of the assigned role. To control the scope of a user's role, remove a specific permission:

Deselect the Use the default Role associations box. Click Next.

The privileges for each type of target are displayed on separate pages. Select the roles to apply to each target, then click Next.

The Summary page is displayed. Review the roles and privileges assigned to the user, then click Finish.

1.2.4 Monitor System Activity

Oracle Enterprise Manager Ops Center performs each action as a job. The details of a job show the order of operations in the job and the managed assets that were targets of the job. You can view the details of a job from either the browser or the command-line interface. Oracle Enterprise Manager Ops Center stores each job until the job is deleted explicitly.

In addition to the jobs record, log files can be a source of activity records. Logs are written during operations and can provide additional detail about system activity. Log files are protected by file permissions and therefore requires a privileged user to get access to them.

1.2.4.1 User Activity

User session activity is included in the BUI log file and in the audit-logs file, which also include activity from the command-line interface.:

/var/opt/sun/xvm/logs/emoc.log has the following format with the timestamp:

On each Linux Proxy Controller: /var/opt/sun/cacao/instances/scn-proxy/logs/cacao.n

1.2.4.3 High Availability

When Oracle Enterprise Manager Ops Center is in a High Availability configuration, each Enterprise Controller is a Clusterware node. The Clusterware resource activity is logged and the following log file is updated each time the active Enterprise Controller's resource action script's check() function is executed. The default interval is 60 seconds.

On Oracle Solaris: /var/opt/sun/xvm/ha/EnterpriseController.log

1.2.4.4 Software Updates

The Software Update component has its own server with its own logs. The following logs provide information on the activity for this server: